39

I know there is one similar question on Stackoverflow, but none of the solution there worked for me.

<form autocomplete="off" id="search_form" method="post" action="">
    <input autocomplete="off" type="text" />
</form>

As you can see, I put autocomplete=off on BOTH the form and the input field, but Google Chrome still displays this autocompletion list. This doesn't happen in other browsers like Firefox and Safari.

Any other solution other than putting autocomplete=off on the form tag??

rink.attendant.6
  • 44,500
  • 61
  • 101
  • 156
user2492270
  • 2,215
  • 6
  • 40
  • 56
  • 2
    Which doctype are you using? – Adrift Aug 19 '13 at 03:37
  • 1
    Have you disabled all your Chrome add-ons? – j08691 Aug 19 '13 at 03:43
  • 1
    If you know there is similar, or essentially the same, question on SO, you should at least cite it. But preferably, contribute to improving answers to an existing question, instead of spawning new copies of a question, with varying sets of answers. – Jukka K. Korpela Aug 19 '13 at 07:31
  • It's a bug in Chrome. I have ` ` and `autocomplete="off"` on both the form and the field, and it STILL auto-completes, even putting my email address in the wrong field with `name="user[credit_card]"`! – Chloe May 05 '14 at 19:12
  • 4
    I know this has been marked as duplicate, but here's my solution. Setting the autocomplete attribute to "off" does not disable Chrome autofill in more recent versions of Chrome. Instead you must set autocomplete on each input as follows `` you can set autocomplete to anything besides "on" or "off" and it will disable Chrome autofill – camiblanch May 06 '15 at 15:27
  • I was able to get around this issue by specifying the label to point to a non-existent field + adding a dummy "name" for the input field. `` – Shane Rowatt May 24 '15 at 00:43
  • Not sure if it's a universal solution, but I had to add a `name` attribute to the input to get `autocomplete="off"` to work. – jordajm Aug 11 '15 at 21:00
  • For Chrome use: autocomplete="nope" It seems funny but it works! However this won't work for Firefox or other browsers. For them you can add the autocomplete="off" to the form element. If you are using web forms your form element is in the master page. – Amir Tofighi Aug 08 '18 at 20:13
  • as of 31/12/2022, the solution "new-password" seems to be adaptable to any registered form data inside Chromium based browsers : for example if you add autocomplete="new-user-street-address-email-password-phone" to your form as attribute, the corresponding data will not be autocompleted. – Fabien Auréjac Dec 31 '22 at 14:50
  • use this -> autocomplete="new-password" (worked great!!!) – H.jalali May 26 '23 at 21:21

6 Answers6

25

This is due to a design decision made by Chrome (arguably any Chrome user wants this behaviour).

The reason for this is what Google calls priority of constituencies:

  1. The user is king! What they want matters most.
  2. The user wants to use a password or autofill manager.
  3. The web application says it doesn't want the form values to be saved.
  4. The user's choice is more important, so the form values are retained.

There are ways to work round, but it's highly likely that those will be fixed in future Chrome versions as the Chrome developers regard their behaviour as correct and your workaround as a bug.

Even while your workaround does work it creates confusing behaviour for the user - they expect autofill to work according to their settings.

Many users already chose to ignore app autocomplete settings with plug-ins or scripts that just remove any autocomplete=off in the page - they already had that choice anyway.

You're best off designing with the assumption that autocomplete can work and accounting for that.

Personally I hate it when sites don't recall my password and override those that do with browser extensions. However I also create applications for my job and there recalling passwords is seen as a security risk, as a user might leave their machine unlocked. In my personal opinion users not locking their machines is an issue for local IT, not the application, and local IT can disable all password autocomplete for all web applications if their users can't be trusted.

Unfortunately to pass the security checks some applications still have to disable autocomplete, there are ways to do it, but they're all horrible. The first hack is to make the password input completely new:

<input type="hidden" name="password" id="realPassword" />
<input type="password" name="{randomly generated}" 
    onchange="document.getElementById('realPassword').value = this.value" />

I've inlined everything to simplify, but this should give you an idea of the hack - no plug in or browser can auto-fill an input with a completely new name.

This solution breaks if you properly build in ARIA and labels (as that lets the browser/extension find and autofill the input from the label).

So option 2, also horrible, is to wait until after the autocomplete has fired and then blank the field:

<input type="text" name="username" 
    onchange="window.setTimeout(function() { 
        document.getElementById('password').value = ''; 
    }, 100)" />
<input type="password" id="password" />

Like I said, nasty.

Keith
  • 150,284
  • 78
  • 298
  • 434
  • 2
    USE CASE: I have a web-app cash register in my retail store. I have multiple employees using this web app. In no way do i want a password manager, because MY admin password would be stored, and non-admin users could more easily access. – Blair Anderson Feb 25 '15 at 17:52
  • 3
    @BlairAnderson yes - so you would want autocomplete to always be off for that machine. Turn it on for your personal machine, off for the shared one - in either case whether to autocomplete is a choice of the local browser, not the application. – Keith Mar 15 '15 at 10:46
  • So many downvotes - anyone mind explaining why this is a bad answer before voting down? – Keith Jun 05 '15 at 09:42
  • Thank you for saving a day! nothing worked, and your solution simply did. – 3xCh1_23 Jun 15 '16 at 19:18
  • When consumers are building unique products this feature is not helpful at all it is inserting random data for consumers causing poor data quality, it is causing waste of manufacturing time and resources for improperly configured product. Honoring autocomplete="off" would be simple and prevent security/poor data/waste. Does anyone understand how the mantle defined in the spec could be changed? We want the first mantle,autofill expectation mantle. but chrome appears to be using autofill anchor mantle https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill-anchor-mantle – ledlogic Oct 28 '20 at 15:19
  • @ledlogic I think there are legacy reasons for `autocomplete="off"` not working that are a bit of a mess to fix now. I don't think changing this behaviour is simple unfortunately. – Keith Oct 29 '20 at 18:33
  • `Even while your workaround does work it creates confusing behaviour for the user - they expect autofill to work according to their settings.` you know what's more confusing for the user? when google's autocomplete tries to fill in a field with a value that makes absolutely no sense. There's no way in a million years this shouldn't be able to be easily disabled by the developer. I'm literally using a google UI library (material UI for react) and their own autocomplete breaks one of their inputs. – ICW Apr 25 '22 at 21:05
  • @ICW I completely agree - work with autocomplete, not against it. Doing either of the hack I suggest in this answer will make your application worse (and it's much worse now than when I originally answered, 8yo). But... sometimes you have to. I've seen this IRL in response to a (very poorly done) penetration test where they insisted that remembering passwords was a risk (wrong) and my bosses at the time insisted on that being 'fixed'. – Keith Apr 27 '22 at 20:50
  • Calling functions on password fields got flagged by our security team. It's autofilling the wrong field if some fields are disabled, and I can't disable autofill because "autocomplete=off" doesn't work in chrome. – Collin Aug 23 '22 at 19:43
8

It may be a bug on Google Chrome, you can't cheat by create an hidden input over. Auto complete feature will get the first input text to fill data.

<form autocomplete="off" id="search_form" method="post" action="">
    <input type="text" style="display:none" />
    <input autocomplete="off" type="text" />
</form>
Bedonkey
  • 169
  • 1
  • 8
  • 5
    This hack no longer works, as of Chrome 34 – Keith Jul 22 '14 at 10:10
  • 7
    You can also set autocomplete to a random string such as "noautocomplete" or something other than "on". The browser is built to recognize "off", but not random strings. Doing so will disable the browser autofill – camiblanch Aug 21 '15 at 15:54
2

This seems to be a recurrent issue in Google Chrome, although adding autocomplete off to the form did work in my build. Maybe in newer versions it doesn't anymore.

This is a hack. Give your input an id, say foo, and in JavaScript:

if (navigator.userAgent.toLowerCase().indexOf('chrome') >= 0) {
    setTimeout(function () {
        document.getElementById('foo').autocomplete = 'off';
    }, 1);
}

Check if this works for you. The only downside to it would be that for those who use Chrome and have JavaScript disabled, the field would still be autocompleted.

Community
  • 1
  • 1
federico-t
  • 12,014
  • 19
  • 67
  • 111
2

The autocomplete attribute is new in HTML5.

Since you haven't mentioned the DOCTYPE, I think this is the only possible reason could be this. For further details check MDN's How to Turn Off Form Autocompletion.

Try adding the following HTML5 DOCTYPE.

<!DOCTYPE html>

FYI: In some browsers you may need to activate an autocomplete function for this to work (Look under "Preferences" in the browser's menu).

You're using it in a correct way mentioning autocomplete attribute under form element. However you don't need it to be mentioned separately for input tag.

<form autocomplete="off" id="search_form" method="post" action="">
    <input type="text" />
</form>

Update: Here you can find a list of solutions in autocomplete attribute and web documents using XHTML.

Lifeweaver
  • 986
  • 8
  • 29
Praveen
  • 55,303
  • 33
  • 133
  • 164
  • Would you mind citing your source for that quote? – rink.attendant.6 Aug 19 '13 at 04:25
  • I just spent a good portion of time looking at that page and it doesn't contain that quote; neither did anything on Google apart from this page itself. – rink.attendant.6 Aug 19 '13 at 04:41
  • 1
    @rink.attendant.6 The quote is used is from http://www.w3schools.com/tags/att_input_autocomplete.asp. MDN is widely accepts whereas W3Schools is not. – Praveen Aug 19 '13 at 04:45
  • Although some of the answers to this question may have worked in the past, currently one way to prevent the browser from popping up the password manager is to have at least two separate additional hidden password inputs, each with different dummy values, like so: http://stackoverflow.com/a/41882977/5150013 – code4kix Jan 26 '17 at 22:27
  • Adding a surrounding `
    ` worked great in Chrome 87 for me!
     – user3413723 Jan 11 '21 at 17:31
1

try this, worked for me after messing about for a bit

if ( navigator.userAgent.toLowerCase().indexOf('chrome') >= 0 ) {
    $('input[autocomplete="off"]').each( function(){
        var type = $(this).attr( 'type');
        $(this).attr( 'type', '_' + type );
        $(this).attr( 'type', type );
    });
}
Luke Snowden
  • 4,056
  • 2
  • 37
  • 70
0

if you are using AJAX call to submit data to backend. After completing AJAX call, password fields should be clear. Then password save prompt will not be popped.

Eg: $(#foo).val("");

Sirikumara
  • 1
  • 1